Received an e-mail, a friend think I misunderstood Nf-hipac, such a high-performance algorithm how can be what traditional hash,tree such coercion. Yes, Hipac is a very fierce algorithm, the document is also relatively small, which adds to its mystery, but it does not mean that it is not understandable, on the contrary, its thinking is simple.
Hipac algorithm is essentially a priority-based interval matching algorithm, how to understand it? We define the match field as a continuous interval, then each rule defines a sub-interval of that interval, and if multiple rules cover the same sub-range, then a priority problem is involved, which is useful in the firewall's access control list, where there are multiple rule cases, The rule that is defined first has the highest precedence. It is better to use a picture to indicate the above statement:
In, there are 5 rule definitions, where Rule1 has the highest priority and Rule5 has the lowest priority, indicating that the lower-to-upper priority is reduced progressively on the graph. As shown, each interval is matched as follows:
Interval 1: Matching Rule5;
Interval 2: Matching rule3,rule5;
Interval 3: Matching rule2,rule3,rule5;
Interval 4: Matching rule2,rule3,rule4,rule5;
Interval 5: Matching rule1,rule2,rule3,rule4,rule5;
Interval 6: Matching rule1,rule3,rule4,rule5;
Interval 7: Matching rule1,rule4,rule5;
Interval 8: Matching rule1,rule4;
Interval 9: Matching Rule4;
Interval 10: no rule match!
If a match falls in the interval 5, which rule does it match? In the interval 5 from bottom to top through a line, the first penetrating is Rule1, because it has the highest priority, so it matches the Rule1; If a match falls in the interval 2, it is first run through the Rule3 from bottom to top, so it matches Rule3; If a match falls in the interval 1, So because it only runs through the Rule5, so it matches the Rule5; if it falls in the interval 10, I'm sorry, no rule is running through, no rules are matched!
This is basically the case! So maybe you'll ask, what if there's more than one match? For example, the following rules, of course, I would like to use our most familiar iptables example, although I want to transplant Hipac to Iptables also need a few weekends:
Iptables-a forward-s $ip 1-d $ip 2-p udp-j DROP
In this rule, I showed a total of 3 match, which is ip1,ip2,udp, so I need 3 of the above figure? Yes! This is the so-called multidimensional Hipac match, just a word, I do not like the extension of the definition. Since the first diagram has ruled out several rules in some intervals, many of the rule in the latter diagram will not have to be drawn.
In order to show the sorting process, I drew a relatively simple figure, a total of 3 match, the specific matching process is in the diagram, no longer use the text to elaborate:
About the HIPAC algorithm is to say that the priority matching is the key, if you still need to continue matching match, we say is to extend a dimension, look down the tree continue down, if you do not need to continue matching match, then the current interval from the bottom up through a line, The rule that first touches is the one that matches. A lot of the rule is drawn as a dashed line, because the rule has been excluded from the previous level or dimension, so the dashed line should be ignored when drawing through the lines.
If you understand this process, you will find it is super efficient, no backtracking, no need to rely on complex hash algorithm, without relying on the degree of hash hash, and input data independent, how many matches there are how many layers, as to how to maintain the algorithm, that is the implementation of the problem. This is essentially a tree-type data structure, and the trick is in its structure.
This article only gives an overview, as for the HIPAC algorithm insert, delete, find, behind a very complex mathematical principle, as engineering and technical personnel, understand these mathematics is necessary, although about hipac howto not much, but related papers still a lot of.
In order to reply to an e-mail, and wrote an article, the wife and mother in the "red sorghum" the big ending, little in play ipad, I draw that complex diagram on the table, this is not the benefits of alcohol, or at this time I estimate again in the dream of roaming .... Day busy day, for the forum and friends from afar, I still Bing, it is learning. However, I still hope to get home at night no longer move any technical problems, at first forcing themselves at night no longer drink not to engage in network technology, nor to write code, but want to give themselves power, enrich their own, see history, Wash the soul, such as can also learn to cook, decorating design and so on.
The search process of Hipac high performance rule matching algorithm
